CVE-2023-5235
📋 TL;DR
This vulnerability in the Ovic Responsive WPBakery WordPress plugin allows attackers with subscriber-level accounts or higher to modify critical WordPress settings and potentially execute arbitrary code through PHP object injection. It affects WordPress sites using vulnerable versions of this plugin.
💻 Affected Systems
- Ovic Responsive WPBakery WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could enable user registration, set default role to administrator, and execute arbitrary code leading to complete site compromise, data theft, or malware installation.
Likely Case
Attackers would enable open registration with administrator privileges, creating backdoor accounts to take control of the WordPress site.
If Mitigated
With proper access controls and input validation, impact would be limited to unauthorized setting changes that could be detected and reverted.
🎯 Exploit Status
Exploitation requires subscriber-level authentication. The vulnerability is well-documented in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.9
Vendor Advisory: https://wpscan.com/vulnerability/35c9a954-37fc-4818-a71f-34aaaa0fa3db
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Ovic Responsive WPBakery' and update to version 1.2.9 or later.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoints
Remove or restrict access to the vulnerable AJAX actions in the plugin.
Add to the theme's functions.php or a custom plugin (the calls must run after the plugin has registered its handlers, otherwise they have no effect):
// Unhook the plugin's AJAX handler for logged-in users (subscribers included)...
remove_action('wp_ajax_ovic_ajax_action', 'ovic_ajax_callback');
// ...and for unauthenticated requests
remove_action('wp_ajax_nopriv_ovic_ajax_action', 'ovic_ajax_callback');
Disable plugin temporarily
Deactivate the plugin until patched (WP-CLI, run on the server):
wp plugin deactivate ovic-responsive-wpbakery
🧯 If You Can't Patch
- Restrict user registration to administrator-only and monitor user accounts
- Implement web application firewall rules to block suspicious AJAX requests to the plugin
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins > Installed Plugins. If version is below 1.2.9, you are vulnerable.
Check Version:
wp plugin get ovic-responsive-wpbakery --field=version
Verify Fix Applied:
Verify plugin version is 1.2.9 or higher and test that user role settings cannot be modified by subscriber accounts.
📡 Detection & Monitoring
Log Indicators:
- Unusual AJAX requests to /wp-admin/admin-ajax.php with 'action' parameter containing 'ovic'
- Unexpected changes to WordPress options like 'users_can_register' or 'default_role'
- New user registrations with elevated privileges
Network Indicators:
- POST requests to admin-ajax.php with serialized PHP objects in parameters
- Multiple failed authentication attempts followed by successful subscriber login
SIEM Query:
source="wordpress.log" AND (("admin-ajax.php" AND "ovic") OR ("option_name" IN ("users_can_register", "default_role") AND "option_value" CHANGED))
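The log and network indicators above, turned into a small request checker as an added example (not part of the advisory and not the plugin's code): it flags admin-ajax.php requests whose 'action' contains 'ovic' and any parameter carrying a serialized PHP object. The action name 'ovic_ajax_action' is the one quoted in the workaround; the sample events are constructed, not captured traffic.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# Start of a serialized PHP object: O:<len>:"<class>":<prop count>:{
PHP_OBJECT_RE = re.compile(r'O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')


def analyze_request(method, url, body=""):
    """Return the indicator names triggered by one request (empty list = clean)."""
    parts = urlsplit(url)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        # Merge form-encoded body parameters with the query string
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    reasons = []
    if any("ovic" in a.lower() for a in params.get("action", [])):
        reasons.append("ovic_ajax_action")
    if any(PHP_OBJECT_RE.search(v) for vs in params.values() for v in vs):
        reasons.append("php_serialized_object")
    return reasons


# Constructed sample events (method, url, body, user); not real traffic
SAMPLE_EVENTS = [
    ("GET", "/wp-admin/admin-ajax.php?action=heartbeat", "", "editor"),
    ("POST", "/wp-admin/admin-ajax.php", "action=ovic_ajax_action", "subscriber1"),
    ("POST", "/wp-admin/admin-ajax.php",
     "action=ovic_ajax_action&data=" + quote('O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}'),
     "subscriber1"),
    ("POST", "/wp-login.php", "log=admin&pwd=x", "-"),
]


def scan(events):
    """Return [(user, url, reasons)] for every event that trips at least one indicator."""
    hits = []
    for method, url, body, user in events:
        reasons = analyze_request(method, url, body)
        if reasons:
            hits.append((user, url, reasons))
    return hits


if __name__ == "__main__":
    for user, url, reasons in scan(SAMPLE_EVENTS):
        print(f"{user} {url} -> {', '.join(reasons)}")
```

The same checks can be applied to WAF or access-log exports that include request bodies; a hit on a subscriber account is the case to correlate with the option changes listed above.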